By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

MSSQL RDS Backup and Restore

0

I am trying to do a MSSQL database backup and restore (from one AWS account to another) following the native backup and restore documentation.

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/SQLServer.Procedural.Importing.html#SQLServer.Procedural.Importing.Native.Enabling

The backup seems to work fine to an S3 bucket. I am then downloading it from Account A and uploading it back to an S3 bucket in Account B.

When I then try to restore using

exec msdb.dbo.rds_restore_database @restore_db_name='database_name', @s3_arn_to_restore_from='arn:aws:s3:::bucket_name/file_name.extension',

I get the following error

Aborted the task because of a task failure or a concurrent RESTORE_DB request. Task has been aborted ** The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.**

This suggests to me an encryption issue however I have not specified a KMS key using the '@kms_master_key_arn' parameter on either the export or import which the documentation suggests should export an unencrypted DB:

The following parameters are optional:

@kms_master_key_arn – The ARN for the symmetric encryption KMS key to use to encrypt the item. *** If you don't specify a KMS key identifier, the backup file won't be encrypted.**

I'd appreciate any ideas if anyone has come across this problem before.

Topics
StorageSecurity, Identity, & ComplianceMigration & ModernizationAnalyticsDatabase
Tags
Amazon Simple Storage ServiceAWS Key Management ServiceAmazon Relational Database ServiceEncryption
Language
English
rePost-User-8381843
asked 2 years ago379 views
1 Answer
0

Can you please check how is your source database encrypted. If its encrypted with the default key, then the copied/shared snapshot can not be used in another account. Please take a look at this https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html

** Please accept the answer if it helps you resolve your issue **

AWS
Devinder-theDBGuy
answered 2 years ago
  • rePost-User-8381843
    2 years ago

    Hi,

    Thanks for the response, I can confirm this isn't encrypted with a default key the encryption on the database is with a custom KMS key.

    Thanks

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content